
Research And Implementation Of Network Log Management And Analysis Technology

Posted on: 2016-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Qin
Full Text: PDF
GTID: 2308330467496726
Subject: Computer technology

Abstract/Summary:
Information systems generate a large number of logs, such as operating system logs, firewall logs, and database logs. These logs contain important information about system activities, for instance program crashes, data modification, user behaviour, and system state. From a security point of view, useful information can be obtained from the logs, which gives them considerable value; for the same reason, the logs easily become a target for attackers. In view of this situation, this thesis researches both log management and log analysis. On the one hand, the logs are protected from being damaged by attackers; on the other hand, related technology is used to analyse the logs automatically, so that information related to system security can be found.

The thesis mainly completes the following work. In respect of log management, a log protection mechanism based on TCM (Trusted Platform Module) is put forward. Besides the TCM, this mechanism also involves related technologies such as Merkle trees, elliptic curve encryption, and public key combination. In terms of log analysis, the log data is first preprocessed, which includes log parsing and log standardization. The random forest algorithm is then applied to log analysis and improved in light of the characteristics of log data, so that the analysis meets actual demand. In the thesis, the improved random forest algorithm is applied to model training and classification in order to recognize security events. Moreover, in order to understand the security situation of information systems, the AHP (Analytic Hierarchy Process) method is used for security situation evaluation. A multi-level network log management and analysis system was designed to integrate the technologies involved and implement them practically at every level.

Finally, a series of experiments was conducted on a real log dataset to verify the effectiveness of the random forest algorithm in security event recognition and the feasibility of the AHP in security situation evaluation. The experimental results show that the improved random forest algorithm proposed in this thesis is suitable for log analysis and performs better than the traditional algorithm in the accuracy of security event recognition. Besides, security situational values can be obtained with the security situation evaluation technique based on the AHP method, and these values reflect the network security situation of information systems.
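The log protection mechanism the abstract describes seals log entries with a Merkle tree so that later edits, deletions or truncation can be detected. The Python below is an added example, not code from the thesis: it builds such a tree over constructed sample log lines, produces an audit path for one entry and checks a presented log against the sealed root; the TCM sealing and elliptic-curve signing of the root are assumed to happen elsewhere and are represented by a plain variable.

```python
import hashlib
# Added example, not the thesis's code; 0x00/0x01 prefixes separate leaves from interior nodes.
def leaf_hash(entry: str) -> bytes:
    return hashlib.sha256(b"\x00" + entry.encode("utf-8")).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _next_level(level: list[bytes]) -> list[bytes]:
    if len(level) % 2:  # odd level: duplicate the last node
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(entries: list[str]) -> bytes:
    """Root over the entries in order; the value the TCM would seal and sign."""
    level = [leaf_hash(e) for e in entries] or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def audit_path(entries: list[str], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag marks a sibling on the left."""
    level, path = [leaf_hash(e) for e in entries], []
    while len(level) > 1:
        sibling = index ^ 1  # past the end means the node is paired with itself
        path.append((level[min(sibling, len(level) - 1)], sibling < index))
        level, index = _next_level(level), index // 2
    return path

def verify_entry(entry: str, path: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the root from one entry and its audit path; compare to the sealed root."""
    h = leaf_hash(entry)
    for sibling, on_left in path:
        h = node_hash(sibling, h) if on_left else node_hash(h, sibling)
    return h == root

def tampered(presented: list[str], sealed_root: bytes) -> bool:
    """True if an edited, reordered or truncated log no longer matches the sealed root."""
    return merkle_root(presented) != sealed_root

# Constructed sample log lines, not from the thesis dataset.
SAMPLE_LOG = [
    "2016-02-09T10:00:01 sshd[1201]: Accepted password for alice from 10.0.0.5",
    "2016-02-09T10:00:09 sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "2016-02-09T10:01:12 kernel: audit: type=1400 apparmor='DENIED'",
]
if __name__ == "__main__":
    sealed = merkle_root(SAMPLE_LOG)  # stands in for the TCM-sealed, signed root
    print(verify_entry(SAMPLE_LOG[1], audit_path(SAMPLE_LOG, 1), sealed))  # True
    print(tampered(SAMPLE_LOG[:-1], sealed))  # True: truncation detected
```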
Keywords/Search Tags: Log Protection, TCM, Log Analysis, Log Preprocess, Random Forest, Security Situation Assessment, Analytic Hierarchy Process